Bug 627191
Summary: | SELinux is preventing /usr/bin/gconftool-2 "create" access on linc-92e-0-1a9593a234557. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Jeff Layton <jlayton> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 14 | CC: | domg444, dominick.grift, dwalsh, mgrepl, steved |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | setroubleshoot_trace_hash:2e91a989eb1c46b23cdb9b99c0ad56d2949fb871501773a9fb32027a77407671 | ||
Fixed In Version: | selinux-policy-3.9.0-2.fc14 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2010-09-08 04:31:05 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jeff Layton
2010-08-25 10:53:19 UTC
Dominick Should I just add manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file}) There's another related warning too (setattr instead of create): node=corrin.poochiereds.net type=AVC msg=audit(1282742366.961:616): avc: denied { setattr } for pid=6196 comm="gconftool-2" name="orbit-jlayton" dev=sda3 ino=1379483 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir node=corrin.poochiereds.net type=SYSCALL msg=audit(1282742366.961:616): arch=c000003e syscall=132 success=no exit=-13 a0=1e85790 a1=7fff924fea70 a2=7fff924fe9e0 a3=1 items=0 ppid=2271 pid=6196 auid=4447 uid=4447 gid=4447 euid=4447 suid=4447 fsuid=4447 egid=4447 sgid=4447 fsgid=4447 tty=(none) ses=1 comm="gconftool-2" exe="/usr/bin/gconftool-2" subj=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 key=(null) I think: files_tmp_filetrans(telepathy_msn_t, telepathy_msn_t, { dir file sock_file }) and: userdom_usr_tmp_filetrans(telepathy_msn_t, telepathy_msn_t, sockfile) the setattr or orbit can be dontaudited ( that is what i do) so it creates a sock_file in /tmp/orbit-USER, plus it creates a dir in /tmp and puts a sock_file in there atleast (and i believe also a file) I made some syntax errors in my examples above but i hope you get the idea dir file sock file in /tmp (tmp_t) sock_file in /tmp/orbit-USER (user_tmp_t) do not audit attempts to set attributes of user temporary directories. (user_tmp_t/orbit-USER) Basically user apps only create sock_files in /tmp/orbit-USER and they try to set attributes of /tmp/orbit-USER (that what all gnome user apps do) manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, sock_file) userdom_dontaudit_setattr_tmp_dir(telepathy_msn_t) and besides that: manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) It creates this for file sharing with butterfly. Fixed in selinux-policy-3.8.8-21.fc14 selinux-policy-3.9.0-2.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.0-2.fc14 selinux-policy-3.9.0-2.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.0-2.fc14 selinux-policy-3.9.0-2.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report. |